From 1971dfbded21d16909e889ba6d19ff9cf3e4cb20 Mon Sep 17 00:00:00 2001
From: Thorsten Rossner
Date: Sun, 12 Nov 2023 15:52:22 +0000
Subject: [PATCH] fix(openproject): Add bootstrapping of Nextcloud filestore

---
 .gitlab-ci.yml | 12 +++++++
 helmfile.yaml | 1 +
 .../apps/openproject-bootstrap/helmfile.yaml | 36 +++++++++++++++++++
 .../apps/openproject-bootstrap/values.gotmpl | 34 ++++++++++++++++++
 .../apps/openproject-bootstrap/values.yaml | 25 +++++++++++++
 helmfile/apps/openproject/values.gotmpl | 2 ++
 helmfile/environments/default/images.yaml | 8 +++--
 .../environments/default/persistence.yaml | 2 +-
 helmfile/environments/default/secrets.gotmpl | 2 ++
 9 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 helmfile/apps/openproject-bootstrap/helmfile.yaml
 create mode 100644 helmfile/apps/openproject-bootstrap/values.gotmpl
 create mode 100644 helmfile/apps/openproject-bootstrap/values.yaml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index be27a05f..1481038b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -384,6 +384,18 @@ openproject-deploy:
 variables:
 COMPONENT: "openproject"
 
+openproject-bootstrap-deploy:
+ stage: "component-deploy-stage-2"
+ extends: ".deploy-common"
+ rules:
+ - if: >
+ $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+ $NAMESPACE =~ /.+/ &&
+ ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
+ when: "always"
+ variables:
+ COMPONENT: "openproject-bootstrap"
+
 jitsi-deploy:
 stage: "component-deploy-stage-1"
 extends: ".deploy-common"
diff --git a/helmfile.yaml b/helmfile.yaml
index e94cbb12..aa39a68d 100644
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -20,6 +20,7 @@ helmfiles:
 - path: "helmfile/apps/openproject/helmfile.yaml"
 - path: "helmfile/apps/xwiki/helmfile.yaml"
 - path: "helmfile/apps/provisioning/helmfile.yaml"
+ - path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"
 missingFileHandler: "Error"
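Review bot: The compound rule of the new `openproject-bootstrap-deploy` job gates on both `$DEPLOY_OPENPROJECT` and `$DEPLOY_NEXTCLOUD`, but nothing in the hunk says why a job named after OpenProject also requires Nextcloud to be deployed. A one-line comment above `rules:` would spare the next reader a trip into the helmfile, e.g. `# Needs both apps: the job registers Nextcloud as OpenProject's file storage`. That purpose is inferred from the commit subject and should be confirmed against the bootstrap chart before the comment is committed.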
diff --git a/helmfile/apps/openproject-bootstrap/helmfile.yaml b/helmfile/apps/openproject-bootstrap/helmfile.yaml
new file mode 100644
index 00000000..bcaa3e6f
--- /dev/null
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+ - "../../bases/environments.yaml"
+
+---
+repositories:
+ # openDesk OpenProject Bootstrap
+ # Source: Set when repo is managed on Open CoDE
+ - name: "opendesk-openproject-bootstrap-repo"
+ oci: true
+ # yamllint disable rule:line-length
+ url: >-
+ {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+ default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
+ # yamllint enable rule:line-length
+ verify: true
+ keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+releases:
+ - name: "opendesk-openproject-bootstrap"
+ chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
+ version: "1.2.1"
+ wait: true
+ waitForJobs: true
+ values:
+ - "values.yaml"
+ - "values.gotmpl"
+ installed: {{ .Values.openproject.enabled }}
+ timeout: 900
+
+commonLabels:
+ deploy-stage: "component-2"
+ component: "opendesk-openproject-bootstrap"
+...
diff --git a/helmfile/apps/openproject-bootstrap/values.gotmpl b/helmfile/apps/openproject-bootstrap/values.gotmpl
new file mode 100644
index 00000000..61cdfdbc
--- /dev/null
+++ b/helmfile/apps/openproject-bootstrap/values.gotmpl
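Review bot: `installed: {{ .Values.openproject.enabled }}` gates the release on OpenProject alone, while the CI rule for this component and the Nextcloud admin password consumed in values.gotmpl show the job also needs a running Nextcloud. With OpenProject enabled and Nextcloud disabled, `wait: true` and `waitForJobs: true` would leave the bootstrap job retrying against a missing Nextcloud until the 900s timeout fails the whole deploy. If the environment exposes a Nextcloud counterpart of `.Values.openproject.enabled`, the guard should require both, e.g. `installed: {{ and .Values.openproject.enabled <NEXTCLOUD_ENABLED_FLAG> }}`; if no such flag exists, a comment stating why Nextcloud availability is not checked here would help.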
@@ -0,0 +1,34 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ domain: "{{ .Values.global.domain }}"
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ registry: "{{ .Values.global.imageRegistry }}"
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: {{ .Values.global.imageRegistry }}
+ repository: "{{ .Values.images.openprojectBootstrap.repository }}"
+ tag: "{{ .Values.images.openprojectBootstrap.tag }}"
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+cleanup:
+ deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+ keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
+config:
+ openproject:
+ fileshareName: "Nextcloud at {{ .Values.global.domain }}"
+ admin:
+ username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+ password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+ nextcloud:
+ admin:
+ username: "nextcloud"
+ password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+...
diff --git a/helmfile/apps/openproject-bootstrap/values.yaml b/helmfile/apps/openproject-bootstrap/values.yaml
new file mode 100644
index 00000000..e8d95441
--- /dev/null
+++ b/helmfile/apps/openproject-bootstrap/values.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+job:
+ enabled: true
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+ fsGroupChangePolicy: "OnRootMismatch"
+...
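Review bot: `image.registry: {{ .Values.global.imageRegistry }}` is the one templated scalar in this file left unquoted, while the same value under `global.registry` a few lines above is quoted; an empty `imageRegistry` renders here as a YAML null instead of an empty string, and a value starting with a YAML indicator would mis-parse. Quote it like its sibling: `registry: "{{ .Values.global.imageRegistry }}"`. Separately, this file hands the OpenProject API admin pair and the Nextcloud admin password to the chart as plain values; whether the chart places them in a Secret rather than a ConfigMap or a Job argument is not visible here and is worth confirming, since `nextcloud.admin.username: "nextcloud"` being hard-coded next to a secret-sourced password suggests the credentials are consumed directly by the job.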
diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.gotmpl
index b1ac50b6..f58db868 100644
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -57,6 +57,8 @@ ingress:
 
 environment:
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+ OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+ OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 57bf601b..b36ae0c4 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -70,7 +70,7 @@ images:
 keycloakBootstrap:
 repository: "souvap/tooling/images/ansible"
 tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
- # @supplier: "Univention"
+ # @supplier: "openDesk DevSecOps"
 keycloakExtensionHandler:
 repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
 tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
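Review bot: The two new `OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_*` variables enable OpenProject's global basic-auth user unconditionally, and as far as I recall from OpenProject's documentation that account carries administrator-level API access; nothing in the hunk records that it exists only so the openproject-bootstrap job can wire the Nextcloud file storage. Add a comment above the two lines, e.g. `# Global basic-auth API user (admin-level) consumed by the openproject-bootstrap job; derived in environments/default/secrets.gotmpl`. Consider conditioning the two variables on the bootstrap being installed so the extra credential is not live on deployments that never run it; whether a suitable flag exists depends on values not visible in this hunk. The enclosing `environment:` mapping continues outside the hunk.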
@@ -122,12 +122,16 @@ images:
 # @supplier: "Nextcloud Community"
 openproject:
 repository: "openproject/open_desk"
- tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
+ tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
 # @supplier: "OpenProject"
 openprojectInitDb:
 repository: "postgres"
 tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
 # @supplier: "OpenProject"
+ openprojectBootstrap:
+ repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
+ tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
+ # @supplier: "openDesk DevSecOps"
 openxchangeBootstrap:
 repository: "alpine/k8s"
 tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
diff --git a/helmfile/environments/default/persistence.yaml b/helmfile/environments/default/persistence.yaml
index 8d507de4..f355875a 100644
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -12,7 +12,7 @@ persistence:
 matrixNeoDateFixBot: "1Gi"
 minio: "1Gi"
 nextcloud:
- main: "1.2Gi"
+ main: "2Gi"
 data: "10Gi"
 postfix: "1Gi"
 postgresql: "1Gi"
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 7356a0d9..d6954690 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -63,6 +63,8 @@ secrets:
 metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
 openproject:
 adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
+ apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}
+ apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_password" | sha1sum | quote }}
 collabora:
 adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum | quote }}
 jitsi:
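Review bot: Both new entries fall back to the literal `"sovereign-workplace"` master password when `MASTER_PASSWORD` is unset, following the surrounding lines, so on an environment without that variable the API admin username and password are fully reproducible from this file alone — and per the openproject/values.gotmpl hunk they now unlock global basic auth on the OpenProject API rather than only a UI login. The risk is inherited from the existing pattern, but the new pair widens its impact, so it deserves a comment on `apiAdminUsername:` such as `# Global basic-auth API credentials for the openproject-bootstrap job; MASTER_PASSWORD must be set outside throwaway environments`. Whether the deploy pipeline already enforces `MASTER_PASSWORD` is not visible here.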